Re: [PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list

2018-03-13 Thread joeyli
Hi James, Thanks for your review. On Tue, Mar 13, 2018 at 10:17:50AM -0700, James Bottomley wrote: > On Tue, 2018-03-13 at 18:35 +0800, Lee, Chun-Yi wrote: > > When getting the certificates list from a UEFI variable, the original error > > message shows the state number from the UEFI firmware. It's hard

Re: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

2018-03-13 Thread Ard Biesheuvel
On 13 March 2018 at 10:37, Lee, Chun-Yi wrote: > The MOK cannot be trusted when secure boot is disabled, which > means that the kernel's embedded certificate is the only trusted key. > > Because db/dbx are authenticated variables, they need the manufacturer's > KEK for

Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module

2018-03-13 Thread James Bottomley
On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote: > This patch adds the logic for checking the kernel module's hash > based on the blacklist. The hash must be generated with sha256 and enrolled > in dbx/mokx. > > For example: > sha256sum sample.ko > mokutil --mokx --import-hash

Re: [PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list

2018-03-13 Thread James Bottomley
On Tue, 2018-03-13 at 18:35 +0800, Lee, Chun-Yi wrote: > When getting the certificates list from a UEFI variable, the original error > message shows the state number from the UEFI firmware. It's hard for a > human to read. This patch changes the error message to show the > appropriate string. > > The

Re: [PATCH 1/1] efi/libstub: tpm: zero initialize pointer variables for mixed mode

2018-03-13 Thread Javier Martinez Canillas
[adding linux-integrity and tpmdd-devel since this was discussed in these ML too] On 03/13/2018 03:09 PM, Ard Biesheuvel wrote: > As reported by Jeremy, running the new TPM libstub code in mixed mode > (i.e., 64-bit kernel on 32-bit UEFI) results in hangs when invoking > the TCG2 protocol, or

[GIT PULL 0/1] EFI fix for v4.16

2018-03-13 Thread Ard Biesheuvel
The following changes since commit 7928b2cbe55b2a410a0f5c1f154610059c57b1b2: Linux 4.16-rc1 (2018-02-11 15:04:29 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git tags/efi-urgent for you to fetch changes up to

[PATCH 1/1] efi/libstub: tpm: zero initialize pointer variables for mixed mode

2018-03-13 Thread Ard Biesheuvel
As reported by Jeremy, running the new TPM libstub code in mixed mode (i.e., 64-bit kernel on 32-bit UEFI) results in hangs when invoking the TCG2 protocol, or when accessing the log_tbl pool allocation. The reason turns out to be that in both cases, the 64-bit pointer variables are not fully
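
The failure mode this patch describes, as an added example that is not the kernel's own code: on a little-endian host such as x86, a 32-bit firmware service reached through the mixed-mode thunk writes only the low four bytes of a pointer-sized out-parameter, so a 64-bit kernel-side pointer variable that was not zero-initialized keeps whatever the stack held in its upper half. The names kernel64_get_protocol and firmware32_locate_protocol, the address 0x7f00f000 and the "stale" value are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a below-4G address that a 32-bit firmware would hand back. */
#define FW_PROTOCOL_ADDR 0x7f00f000u

/* Stand-in for a 32-bit boot service / protocol call with a (void **)-style out-parameter.
 * In mixed mode it receives the slot's address and stores a 32-bit value there: four bytes
 * are written and the other four bytes of the caller's 64-bit slot are left untouched. */
static void firmware32_locate_protocol(void *out_slot) {
    uint32_t addr32 = FW_PROTOCOL_ADDR;
    memcpy(out_slot, &addr32, sizeof addr32);
}

/* The caller's pointer variable is a 64-bit stack slot. 'stale' models whatever the slot
 * happened to contain before the call (an uninitialized local); zero_init applies the fix.
 * Assumes a little-endian host, as in the x86 mixed-mode case the patch addresses. */
static uint64_t kernel64_get_protocol(uint64_t stale, int zero_init) {
    uint64_t slot = stale;
    if (zero_init)
        slot = 0;                      /* the patch: zero-initialize before calling firmware */
    firmware32_locate_protocol(&slot);
    return slot;                       /* what the kernel would go on to dereference */
}

/* A check a practitioner can add: a 32-bit firmware cannot return an address above 4G,
 * and a NULL out-pointer means the service did not fill the slot. */
static int pointer_from_fw32_is_sane(uint64_t p) {
    return p != 0 && (p >> 32) == 0;
}

int main(void) {
    uint64_t stale = 0xdeadbeef00000000ull;   /* constructed stack garbage in the upper half */
    uint64_t bad = kernel64_get_protocol(stale, 0);
    uint64_t good = kernel64_get_protocol(stale, 1);
    uint64_t lucky = kernel64_get_protocol(0, 0);   /* clean stack: the missing init is invisible */
    printf("uninitialized:        %#llx sane=%d\n", (unsigned long long)bad, pointer_from_fw32_is_sane(bad));
    printf("zero-initialized:     %#llx sane=%d\n", (unsigned long long)good, pointer_from_fw32_is_sane(good));
    printf("uninit, clean stack:  %#llx sane=%d\n", (unsigned long long)lucky, pointer_from_fw32_is_sane(lucky));
    return 0;
}
```

The third call is why the hang is intermittent rather than deterministic: when the slot happens to be zero the bug cannot be observed, which is also why it survived testing on native 64-bit firmware, where the full pointer is written. The sanity check only rejects values a 32-bit firmware could not have produced; real code would still validate the pointer against the firmware memory map before dereferencing it.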

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Ard Biesheuvel
On 13 March 2018 at 13:41, Jeremy Cline wrote: > On 03/13/2018 03:59 AM, Ard Biesheuvel wrote: >> On 13 March 2018 at 07:47, Hans de Goede wrote: >>> Hi, >>> >>> >>> On 12-03-18 20:55, Thiebaud Weksteen wrote: >> ... Hans, you said you

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Jeremy Cline
On 03/13/2018 03:59 AM, Ard Biesheuvel wrote: > On 13 March 2018 at 07:47, Hans de Goede wrote: >> Hi, >> >> >> On 12-03-18 20:55, Thiebaud Weksteen wrote: >>> > ... >>> >>> Hans, you said you configured the tablet to use the 32-bit version of grub >>> instead >>> of 64.

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Andy Shevchenko
On Tue, Mar 13, 2018 at 9:47 AM, Hans de Goede wrote: > On 12-03-18 20:55, Thiebaud Weksteen wrote: >> Hans, you said you configured the tablet to use the 32-bit version of grub >> instead >> of 64. Why's that? > Because this tablet, like (almost?) all Bay Trail hardware

[PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module

2018-03-13 Thread Lee, Chun-Yi
This patch set is based on the efi-lock-down and keys-uefi branches in David Howells's linux-fs git tree. https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi The main purpose is to use the MOKx to blacklist kernel modules. Like the MOK (Machine Owner Key), MOKx

[PATCH 3/5] MODSIGN: load blacklist from MOKx

2018-03-13 Thread Lee, Chun-Yi
This patch adds the logic to load the blacklisted hashes and certificates from MOKx, which is maintained by the shim bootloader. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi"

[PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list

2018-03-13 Thread Lee, Chun-Yi
When getting the certificates list from a UEFI variable, the original error message shows the state number from the UEFI firmware. It's hard for a human to read. This patch changes the error message to show the appropriate string. The message will be shown as: [0.788529] MODSIGN: Couldn't get UEFI

[PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module

2018-03-13 Thread Lee, Chun-Yi
This patch adds the logic for checking the kernel module's hash based on the blacklist. The hash must be generated with sha256 and enrolled in dbx/mokx. For example: sha256sum sample.ko mokutil --mokx --import-hash $HASH_RESULT Whether the signature on the ko file is stripped or not, the
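
One way to carry out the check this patch describes, written here as an added example rather than the patch's own code: compute the SHA-256 of the module and refuse to load it when the digest is on the blacklist. Because the page leaves open whether the enrolled hash is taken over the signed or the stripped .ko, this example (a design choice of its own, not something the patch is shown to do) checks both the file as shipped and, when the kernel's appended-signature trailer is present, the body with the signature removed. The compact SHA-256 routine, the sample body "abc", the fake signature bytes and the single blacklist entry are all constructed for the illustration; the trailer layout is the kernel's module_signature format as a known fact, not something shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal one-shot SHA-256 (FIPS 180-4) so the check runs stand-alone. */
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
#define BS0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define BS1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define SS0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
#define SS1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };

static void sha256_block(uint32_t h[8], const uint8_t p[64]) {
    uint32_t w[64], t1, t2, a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f = h[5], g = h[6], hh = h[7]; int i;
    for (i = 0; i < 16; i++)   /* message schedule: big-endian words, then expansion */
        w[i] = (uint32_t)p[4 * i] << 24 | (uint32_t)p[4 * i + 1] << 16 | (uint32_t)p[4 * i + 2] << 8 | p[4 * i + 3];
    for (; i < 64; i++) w[i] = SS1(w[i - 2]) + w[i - 7] + SS0(w[i - 15]) + w[i - 16];
    for (i = 0; i < 64; i++) {
        t1 = hh + BS1(e) + ((e & f) ^ (~e & g)) + K[i] + w[i];
        t2 = BS0(a) + ((a & b) ^ (a & c) ^ (b & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

static void sha256(const uint8_t *m, size_t len, uint8_t out[32]) {
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint8_t tail[128] = { 0 }; uint64_t bits = (uint64_t)len * 8;
    size_t i, rem = len % 64, tl = rem < 56 ? 64 : 128;
    for (i = 0; i + 64 <= len; i += 64) sha256_block(h, m + i);
    memcpy(tail, m + i, rem);          /* last partial block, then 0x80, zero pad, big-endian bit length */
    tail[rem] = 0x80;
    for (i = 0; i < 8; i++) tail[tl - 1 - i] = (uint8_t)(bits >> (8 * i));
    sha256_block(h, tail);
    if (tl == 128) sha256_block(h, tail + 64);
    for (i = 0; i < 8; i++) { out[4 * i] = h[i] >> 24; out[4 * i + 1] = h[i] >> 16; out[4 * i + 2] = h[i] >> 8; out[4 * i + 3] = h[i]; }
}

/* Kernel appended-signature layout: [module body][signature][struct module_signature, 12 bytes][magic, 28 bytes]. */
#define SIG_MAGIC "~Module signature appended~\n"
#define SIG_MAGIC_LEN 28
#define SIG_INFO_LEN 12

/* Length of the module with the appended signature removed; len if unsigned or malformed. */
static size_t module_unsigned_len(const uint8_t *mod, size_t len) {
    const uint8_t *info; size_t siglen;
    if (len < SIG_MAGIC_LEN + SIG_INFO_LEN || memcmp(mod + len - SIG_MAGIC_LEN, SIG_MAGIC, SIG_MAGIC_LEN))
        return len;
    info = mod + len - SIG_MAGIC_LEN - SIG_INFO_LEN;
    siglen = (size_t)info[8] << 24 | (size_t)info[9] << 16 | (size_t)info[10] << 8 | info[11]; /* __be32 sig_len */
    if (siglen > len - SIG_MAGIC_LEN - SIG_INFO_LEN) return len;   /* bogus length: do not underflow */
    return len - SIG_MAGIC_LEN - SIG_INFO_LEN - siglen;
}

/* Refuse if the file as shipped or its unsigned body hashes to a blacklisted digest (either sha256sum may be enrolled). */
static int module_blacklisted(const uint8_t *mod, size_t len, const uint8_t (*bl)[32], size_t nbl) {
    uint8_t d[2][32]; size_t n = 1, i, j, body = module_unsigned_len(mod, len);
    sha256(mod, len, d[0]);
    if (body != len) { sha256(mod, body, d[1]); n = 2; }
    for (i = 0; i < n; i++) for (j = 0; j < nbl; j++) if (memcmp(d[i], bl[j], 32) == 0) return 1;
    return 0;
}

/* Constructed blacklist: sha256sum of a file holding "abc", the value one would hand to mokutil --mokx --import-hash. */
static const uint8_t blacklist[1][32] = {
    { 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
      0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad } };

/* Build a constructed sample "module" from body text, optionally with a fake 4-byte appended signature. */
static size_t build_sample(uint8_t *buf, const char *body, int with_sig) {
    static const uint8_t info[SIG_INFO_LEN] = { 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 4 }; /* id_type PKCS7, sig_len 4 */
    size_t n = strlen(body);
    memcpy(buf, body, n);
    if (!with_sig) return n;
    memcpy(buf + n, "SIG!", 4);
    memcpy(buf + n + 4, info, SIG_INFO_LEN);
    memcpy(buf + n + 4 + SIG_INFO_LEN, SIG_MAGIC, SIG_MAGIC_LEN);
    return n + 4 + SIG_INFO_LEN + SIG_MAGIC_LEN;
}

/* 1 if the sample module built from 'body' would be refused, 0 if it may load, -1 if the sample is too big. */
static int check_sample(const char *body, int with_sig) {
    uint8_t buf[256];
    if (strlen(body) > sizeof buf - 4 - SIG_INFO_LEN - SIG_MAGIC_LEN) return -1;
    return module_blacklisted(buf, build_sample(buf, body, with_sig), blacklist, 1);
}

int main(void) {
    printf("abc unsigned: %d  abc signed: %d  abd unsigned: %d\n",
           check_sample("abc", 0), check_sample("abc", 1), check_sample("abd", 0));
    return 0;
}
```

check_sample("abc", 1) is refused through the stripped-body digest even though the digest of the shipped file differs, which is what enrolling the sha256sum of an unsigned module buys once a distribution signs it. The bounds check on sig_len is not optional: a crafted trailer claiming a signature longer than the file would otherwise underflow the body length and hash the wrong bytes.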

[PATCH 5/5] MODSIGN: check the attributes of db and mok

2018-03-13 Thread Lee, Chun-Yi
It's better to check the attributes of the db and mok variables before loading certificates into the kernel keyring. For db and dbx, both of them are authenticated variables, which means that they can only be modified by the manufacturer's key. So the kernel should check

[PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

2018-03-13 Thread Lee, Chun-Yi
The MOK cannot be trusted when secure boot is disabled, which means that the kernel's embedded certificate is the only trusted key. Because db/dbx are authenticated variables, they need the manufacturer's KEK for updates. So db/dbx are secure when secure boot is disabled. Cc: David Howells

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Ard Biesheuvel
On 13 March 2018 at 10:23, Thiebaud Weksteen wrote: > On Tue, Mar 13, 2018 at 8:59 AM Ard Biesheuvel > wrote: > >> On 13 March 2018 at 07:47, Hans de Goede wrote: ... >> > Could the problem perhaps be that the new code for the

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Thiebaud Weksteen
On Tue, Mar 13, 2018 at 8:59 AM Ard Biesheuvel wrote: > On 13 March 2018 at 07:47, Hans de Goede wrote: > > Hi, > > > > > > On 12-03-18 20:55, Thiebaud Weksteen wrote: > >> > ... > >> > >> Hans, you said you configured the tablet to use the 32-bit

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Hans de Goede
Hi, On 12-03-18 22:02, Ard Biesheuvel wrote: On 12 March 2018 at 19:55, Thiebaud Weksteen wrote: On Mon, Mar 12, 2018 at 7:33 PM Jeremy Cline wrote: On 03/12/2018 02:29 PM, Thiebaud Weksteen wrote: On Mon, Mar 12, 2018 at 6:30 PM Ard Biesheuvel <

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Ard Biesheuvel
On 13 March 2018 at 07:59, Ard Biesheuvel wrote: > On 13 March 2018 at 07:47, Hans de Goede wrote: >> Hi, >> >> >> On 12-03-18 20:55, Thiebaud Weksteen wrote: >>> > ... >>> >>> Hans, you said you configured the tablet to use the 32-bit version of

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Ard Biesheuvel
On 13 March 2018 at 07:47, Hans de Goede wrote: > Hi, > > > On 12-03-18 20:55, Thiebaud Weksteen wrote: >> ... >> >> Hans, you said you configured the tablet to use the 32-bit version of grub >> instead >> of 64. Why's that? > > > Because this tablet, like (almost?) all Bay

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Hans de Goede
Hi, On 12-03-18 20:55, Thiebaud Weksteen wrote: On Mon, Mar 12, 2018 at 7:33 PM Jeremy Cline wrote: On 03/12/2018 02:29 PM, Thiebaud Weksteen wrote: On Mon, Mar 12, 2018 at 6:30 PM Ard Biesheuvel < ard.biesheu...@linaro.org> wrote: On 12 March 2018 at 17:01, Jeremy

I pray you receive my mail in a good faith

2018-03-13 Thread Mr.John Mark
Good Day My Good Friend, Let me start by introducing myself. I am Mr. John Mark from Burkina Faso. I am writing you this letter based on the latest development in my bank, which I would like to bring you in on. The sum of Twelve Million Five Hundred Thousand United States Dollars ($12.5 Million) this is

Re: Regression from efi: call get_event_log before ExitBootServices

2018-03-13 Thread Thiebaud Weksteen
On Mon, Mar 12, 2018 at 10:03 PM Ard Biesheuvel wrote: > On 12 March 2018 at 19:55, Thiebaud Weksteen wrote: > > On Mon, Mar 12, 2018 at 7:33 PM Jeremy Cline wrote: > > > >> On 03/12/2018 02:29 PM, Thiebaud Weksteen wrote: > >> >